无DLL线程注入

注意要在release方式编译

// Thread function that InjectCode copies byte-for-byte into the target
// process and starts there with CreateRemoteThread.  Because only the raw
// bytes are copied, the body is written to be self-contained: every API it
// calls is reached through a function-pointer value carried in *pData, and
// every string it uses is read from a DATA field rather than from a literal
// in this module.  (This is presumably what the "compile as release" note at
// the top of the page is about — confirm against the disassembly.)
//
// lpParam: pointer, valid in the target process, to the DATA block that
//          InjectCode wrote there.  DATA (declared elsewhere) carries the
//          kernel32 entry-point addresses dwLoadLibrary, dwGetProcAddress,
//          dwGetModuleHandle, dwGetModuleFileName and the strings User32Dll,
//          MessageBox and Str.
// Returns 0, which becomes the remote thread's exit code.
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
     PDATA pData = (PDATA)lpParam;

     // Local function-pointer variables with the Win32 prototypes of the
     // APIs that are called indirectly below.
     HMODULE (_stdcall *MyLoadLibrary)(LPCTSTR);
     FARPROC (_stdcall *MyGetProcAddress)(HMODULE,LPCSTR);
     HMODULE (_stdcall *MyGetModuleHandle)(LPCTSTR);
     int (_stdcall *MyMessageBox)(HWND , LPCTSTR , LPCTSTR,UINT);
     DWORD (_stdcall *MyGetModuleFileName)(HMODULE , LPTSTR , DWORD);

     // The addresses were resolved by the injector in its own process
     // (GetProcAddress on kernel32) and stored as DWORDs; they only work here
     // if kernel32.dll is mapped at the same base in the target and pointers
     // fit in a DWORD (32-bit build assumed).
     MyLoadLibrary = (HMODULE (_stdcall *) (LPCTSTR)) pData ->dwLoadLibrary;
     MyGetProcAddress = (FARPROC(_stdcall *)(HMODULE,LPCSTR))pData ->dwGetProcAddress;
     // NOTE(review): assigned but never used in this function.
     MyGetModuleHandle = (HMODULE (_stdcall *)(LPCSTR))pData ->dwGetModuleHandle;
     MyGetModuleFileName = (DWORD (_stdcall *)(HMODULE,LPTSTR,DWORD nSize))pData ->dwGetModuleFileName;

     // Load user32.dll by the name carried in DATA and resolve MessageBoxA
     // from it by the name carried in DATA.
     // NOTE(review): neither hModule nor the GetProcAddress result is checked;
     // a NULL here makes the MyMessageBox call below fault in the target.
     HMODULE hModule = MyLoadLibrary( pData ->User32Dll);
     MyMessageBox = (int (_stdcall *)(HWND , LPCTSTR ,LPCTSTR,UINT))MyGetProcAddress
          (hModule , pData->MessageBox);
     // NULL module handle -> path of the calling process's own executable,
     // i.e. the target process, not the injector.
     char szModuleName[MAX_PATH] = {0};
     MyGetModuleFileName(NULL,szModuleName,MAX_PATH);

     // Message text is pData->Str; the caption is the target's executable path.
     MyMessageBox(NULL,pData->Str,szModuleName,MB_OK);
    
     return 0;
}

// Injects RemoteThreadProc into the process identified by dwPid without
// loading a DLL: a DATA block and the function's bytes are written into the
// target's address space and a remote thread is started on the copy.
// The sequence OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread is the classic remote-thread
// injection chain and is exactly the pattern process-injection detections
// (EDR / ETW telemetry) key on.
//
// dwPid: process id of the target, as typed into the dialog's edit control.
// No return value.  Only OpenProcess failure is reported (message box and
// early return); every later API result is left unchecked (see notes).
void CNoDllInjectDlg::InjectCode(DWORD dwPid)
{
     DWORD error = 0;
     // Enable SeDebugPrivilege in this process's token first so OpenProcess
     // can succeed on processes this account could not otherwise open.
     DebugPrivilege();

     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
     if( hProcess == NULL)
     {
          MessageBox("OpenProcess Error");
          // NOTE(review): GetLastError is read *after* MessageBox, which may
          // already have replaced the OpenProcess error code; `error` is
          // also never used afterwards.
          error = GetLastError();
          return ;
     }

     // Resolve the kernel32 entry points in *this* process and store them as
     // DWORDs.  The remote code calls through these values, so this relies on
     // kernel32.dll sharing the same base address in the target and on
     // pointers fitting in a DWORD (32-bit build).
     // NOTE(review): the last lookup uses GetModuleHandleA where the others
     // use GetModuleHandle — identical in an MBCS build, inconsistent otherwise.
     DATA Data = {0};
     Data.dwLoadLibrary = (DWORD)GetProcAddress(
                               GetModuleHandle("kernel32.dll"),
                               "LoadLibraryA");
     Data.dwGetProcAddress = (DWORD)GetProcAddress(
                                    GetModuleHandle("kernel32.dll"),
                                    "GetProcAddress");
     Data.dwGetModuleHandle = (DWORD)GetProcAddress(
                                    GetModuleHandle("kernel32.dll"),
                                    "GetModuleHandleA");
     Data.dwGetModuleFileName = (DWORD)GetProcAddress(
                                    GetModuleHandleA("kernel32.dll"),
                                    "GetModuleFileNameA");

     // Strings the remote code needs travel inside DATA, because the copied
     // function cannot reference string literals from this module.
     lstrcpy(Data.User32Dll , "user32.dll");
     lstrcpy(Data.MessageBox,"MessageBoxA");
     lstrcpy(Data.Str , "Inject Code !!!");

     // Read/write block in the target holding DATA; it is passed to the
     // remote thread as its lpParam.
     // NOTE(review): lpData (may be NULL) and the WriteProcessMemory result
     // are not checked.
     LPVOID lpData = VirtualAllocEx(hProcess,
                                    NULL,
                                    sizeof(DATA),
                                    MEM_COMMIT | MEM_RESERVE,
                                    PAGE_READWRITE);
     DWORD dwWriteNum = 0;
     WriteProcessMemory(hProcess , lpData , &Data, sizeof(DATA) , &dwWriteNum);

     // Executable block for the function body.  0x2000 is a fixed guess, not
     // RemoteThreadProc's real length: the copy reads that many bytes from
     // the function's address, so (if the function is shorter, as is almost
     // certain) it also copies whatever follows it in this image.
     // NOTE(review): in a debug build the symbol presumably resolves to an
     // incremental-link thunk rather than the body — likely the reason the
     // page asks for a release build.  lpCode is not checked for NULL.
     DWORD dwFunSize = 0x2000;
     LPVOID lpCode = VirtualAllocEx(hProcess,
                                    NULL,
                                    dwFunSize,
                                    MEM_COMMIT,
                                    PAGE_EXECUTE_READWRITE);
     WriteProcessMemory(hProcess , lpCode , RemoteThreadProc , dwFunSize , &dwWriteNum);

     // Run the copied function in the target with lpData as its parameter
     // and block until that thread exits.
     // NOTE(review): a NULL hRemoteThread is not checked before the wait
     // and the CloseHandle below.
     HANDLE hRemoteThread = CreateRemoteThread(hProcess,
                                              NULL,
                                              0,
                                              (LPTHREAD_START_ROUTINE)lpCode,
                                              lpData,
                                              0,
                                              NULL);
     WaitForSingleObject(hRemoteThread,INFINITE);

     // Handles are released, but the two remote allocations are never freed
     // (no VirtualFreeEx), so they remain mapped in the target for its lifetime.
     CloseHandle(hRemoteThread);
     CloseHandle(hProcess);

}


void CNoDllInjectDlg::OnBtnInject()
{
     // Inject-button handler: read the text of the PID edit control, parse
     // it as a decimal integer and hand the result to InjectCode.
     // atoi yields 0 when the text is not numeric, so InjectCode then
     // receives PID 0.
     CString pidText;
     GetDlgItemText(IDC_EDIT_INJECT, pidText);
     const int pid = atoi(static_cast<LPCTSTR>(pidText));
     InjectCode(static_cast<DWORD>(pid));
}

// Enables SeDebugPrivilege (SE_DEBUG_NAME) in the current process's access
// token; called by InjectCode before OpenProcess.  AdjustTokenPrivileges can
// only enable a privilege the token already holds, so this has an effect
// only when the injector runs under an account that has it (typically an
// elevated administrator).
// No parameters, no return value; every failure is silently ignored.
void CNoDllInjectDlg::DebugPrivilege()
{
     HANDLE hToken = NULL;
     // Open this process's access token.  TOKEN_ALL_ACCESS is broader than
     // the adjustment below needs (TOKEN_ADJUST_PRIVILEGES would do).
     int hRet = OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken);
    
     if( hRet)
     {
          TOKEN_PRIVILEGES tp;
          tp.PrivilegeCount = 1;
          // Look up the LUID that identifies SeDebugPrivilege on this system.
          // NOTE(review): the return value is unchecked; on failure the LUID
          // passed to AdjustTokenPrivileges below is uninitialised.
          LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);
          tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
          // Enable the privilege in the token.
          // NOTE(review): a non-zero return does not mean success — the
          // documented way to detect "privilege not held" is
          // GetLastError() == ERROR_NOT_ALL_ASSIGNED, and neither is checked.
          AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
         
          CloseHandle(hToken);
     }
    
}